STP and blocked ports

Hi,
I have five 3550s daisy-chained as a core hosting 2950s where the 2950s' Gig port are attached to different 3550s. Using IOS 12.20. No vlans. I noticed that sometimes a blocked port connecting the 2950 and 3550 is blocked at the 3550 instead of the 2950 (G0/12). Is this normal? Thanks

Follow the path to the root. The root port should not be constantly changing. Check if the root also changes when the root port changes. These blocking ports are known as Designated Port. These switches have a lower cost path to the Root that are called root port.
Take this topology for example:
SwA(root)
g0/1 g0/2
| |
| |
g0/1 g0/1
SwB SwC
g0/2-----g0/2
The drawing above shows SwA being the root and SwB and SwC are connected to one another via g0/2. The SwA being the root will have its gi0/1 and gi0/2 in forwarding mode and are called Designated Port. Both SwB and SwC will have their g0/1 in forwarding mode and are called root port. Now, either SwB or SwC's port gig 0/2 will be DP and the other NDP, this will be based on which one have a lower BID. Let's say the SwB have the lower BID (Bridge Priority + mac-address) than SwC. This means SwB's gig 0/2 will be DP thus will be forwarding and SwC's port gig 0/2 will be NDP and blocking. The only way this will change is if the cost of the path change, the path to the root had changed thus changing the cost and if the BPDU from SwB is not being received on SwC's gig 0/2 which will cause it to transition to DP and forward.

Similar Messages

  • Spanning tree and blocked ports

    Hello
    I have a network built with 5 3560 switches. They are linked together over 6 fiber gigabit links. Two of them are for redundancy. I set up STP and all works fine. STP root is on the same switch for all VLANs.
    But I'm wondering why blocked links are only show state blocked on one of the two connected switches. I've read the docu but didn't found a hint.
    Thanks for any comment.
    Thomas

    I guess your question in fact translates to: why is there only one side of my redundant link that is blocking instead of both ends. There are several possible answers to that:
    First, because blocking one side is enough;-)
    But the an explanation I prefer is to remind that STP cannot know that this link is a fiber going to a single neighbor bridge. This link could be connected to a hub, where on the top of the neighboring bridge there would be some hosts (PCs, routers etc...). To put it short, STP must provide connectivity to this link. That's why *every* link has a designated port that connects it to the root bridge.
    Hope this helps;-)
    Francois

  • IronPort S160/ASA5510 integration - PAC file and blocking Port 80

    We have successfully integrated our ASA5510 and IronPort S160 appliance with Active Directory and eDirectory.  We've configured AD to push IE settings to use the IronPort proxy.pac file.  Now we need to "Block" un-configured IE access to Port 80 traffic.
    In my ASA i have a firewall exception for our WAN IP ranges (source) to any Destination port tcp/http, tcp/https and domain.  If I remove the tcp/http from the exception "ALL" port 80 traffic stops, including those PCs configured to use the IronPort Poxy.pac file.
    So where have I gone wrong?  I want to block un-configured IE access to Port 80, forcing all users to pass through the IronPort appliance.

    I hate this job.  About 11:10 PM as I was trying to get ready for bed, I had the same thought.  Of course I had to test it out, so back to the VPN connection I went and added the filter permit for port 80 for the Ironport's ip address and viola it worked.  Thanks for answering my post just the same.

  • Mac Mail and blocked ports

    Hi,
    I work in a not-very-Mac-friendly school district, but use a Mac anyway. We've figured out how to open the correct ports, etc. for internet use (via Network Preferences) but still can't access email (on an MS Exchange server) or any POP mail (Yahoo) or .mac mail through the mail program. I'm guessing it's something with a port somewhere that needs to be opened. Any thoughts on what it might be, or how to open ports on Mail?
    Thanks for any help anyone might offer.
    -Widget

    From the client side, you don't need to open any ports in Sys Prefs Sharing at all. Opening ports there is only for dealing with inbound traffic that you didn't initiate and weren't expecting as a response to something, i.e., if you were a mail or web server. But you're not a server, you're a client. So close 'em. Plus, in Mail.app (or any other application for that matter), those port numbers (like 25 or 587 or 465 for smtp, or 110 or 995 for pop, or 143 or 993 for imap) are at the destination mailserver, not your computer.
    If you launched Terminal.app, "su {adminUserName}" and "sudo tcpdump -i en1" (en1 if wireless, en0, if ethernet cable) you will find that when you launch Mail and try to check mail or send mail, stuff from your computer is leaving your machine on a randomly chosen (by Mail.app) five-digit port number and it's at the destination server where these port numbers (25, 587, 465, 110, 995, 143, 993) have any meaning. Same holds true for all applications, e.g. Safari, port 80 refers to the web server, not what port on which you are sending out your browser request to the server. The (mail, web, other) server responds back from its port (25, 143, ..., 80, etc.) port to the random port number that your application chose.
    Your problem, most likely, is that your IT Dept is blocking outbound traffic destined for any "foreign" host addresses at ports like 25 or 143, that are NOT the host addresses of your IT Dept's own mailservers. They would be blocking this at their firewall to the internet. My work's IT Secret Police does this. So unless they relax their firewall restrictions, you're going to have to do something like use your cellphone as a dialup modem to access those mail accounts, or use webmail (since they probably aren't blocking all http (destination server) port 80 traffic -- although they could be blocking traffic addressed to specific host addresses like yahoo.com/webmail).

  • SGE2010 Does not block ports even with STP enabled

    Good day,
    We are experiencing bridge storms and network slow downs and we believe we have traced the issue down to users plugging a cat 5/6 cable between 2 ports on the wall both wired back to a SGE2010 switch.
    So we did a test - we plugged a single short cat 6 cable between 2 ports on a SGE2010, our access switch. Suprisingly, even with STP enabled, the switch DID NOT block one of the ports and in a few minutes the ENTIRE NETWORK was down, as CDP, STP, and ARP traffic became a multi-gigabit storm throughout the network.
    Why on earth does this switch not block a port that is obviosly looped?
    Every other cisco switch since I started on 1900XL's did this in 1999.
    Thanks!
    -Joe
    #19366

    Dear Joe,
    STP would conrol multiple links (for redundancy) between switches (endpoints) turning an inactive link on when the active goes down and preventing duplicate active links between them. More about STP at page 258 of the
    SFE-SGE2xxx Admin Guide PDF.
    The function you might be interested in is called "Storm Control" which limits the number of packets per second so to prevent the switch and the network from storms. See page 82 of the SFE-SGE2xxx Admin Guide PDF available here: http://www.cisco.com/en/US/docs/switches/lan/csbms/sfe2000/administration/guide/SFE-SGE2xxx_Admin_Guide.pdf
    Thanks and regards,
    Zsolt

  • EA6500 and Blocking Apps/Blocking Ports

    So I bought the EA6500 yesterday, to replace my E3200.
    Formerly, with the E3200, I was able to block applications on the router admin page, without blocking all internet access, under the "Access Restrictions" Tab. I could create access policies that allowed internet access to specific devices, while blocking port ranges/protocols for specific applicatons. while this didn't work for Skype, which jumps from one port to the other until it finds an open one, it worked perfectly for World of Warcraft. the primary target of my restrictions.
    in common with the old setup for the E3200, the new cloud login allows me to block internet access completely to a device. it also allows me to block websites to my heart's content, an improvement upon the old system, which stopped at four. but to my great surprise, it will not allow me to specify port blockages for specific apps for specific devices.
    amazingly, hile the new EA6500 is blessed with the added capability of actually recognizing applications by name, *it is only to give them greater priority*. the Media Prioritization tab lets you give a ton of your bandwith to specific apps, but won't let you throttle or block them. 
    Is there some way to work around this? Some alternative firmware? again, I don't want/need to block all internet access to a particular computer. I only need to block some apps (World of Warcraft, and Skype, possibly some torrents) by closing some ports.
    Is this possible?
    -Desperate in L.A.

    Why would they need to take away that feature? it seems I'm not the only one who wondered at this omission...
    http://homecommunity.cisco.com/t5/Social-Media-Support/Amazon-com-EA6500-This-is-extremely-difficult...

  • STP and Loop Guard

    Hi everyone, I've a question for you guys:
    Please check this topology: http://www.cisco.com/warp/public/473/84d.gif
    I've read that you must enable loop guard on every nondesignated port (root and alternate ports) to prevent unidirectional related loops. I understand the situation where switch C unblooks the AP port and cause a loop. But what if the link is not unidirectional, what if switch B has some problem and indeed switch C should forward traffic to the segment C-B? Is there a difference between the link going down (disconected)and just stop seeing BPDUs?
    Also, why would anyone configure loop guard on a root port? If for example, SWC stops seeing BPDUs from SWA, what would loop guard do? put the port in a block state or it would recalculate its Root port (port to SWB) and put the port to SWA into a designated state (after not receiving BPDS from SWA)? I'm very confused, any help would be greatly apretiated.
    Omar Montes

    The assumption made by STP is that if a link is not able to transmit BPDU, it is down. So if there is bidirectional link failure, the case is natively handled by STP. If there is only unidirectional link failure, you could end up with a unidirectional loop (which is about as bad as a bidirectional loop;-))
    Loopguard is relevant on each port that is supposed to continuously receive BPDU. If your root port stop receiving BPDU, STP will move it to designated and elect a new root port. This is ok if your old root port cannot receive and transmit traffic. However, if the link is unidirectional and the port does not get blocked by loopguard, you will have a loop through the old and the new root port (in one direction only, the old root port TX direction).
    Configuring loopguard on a designated port will not cause any problem anyway, so in fact you can configure loopguard blindly on all the port.
    The IEEE introduced a feature (the dispute mechanism) that works much better than loopguard in order to protect against unidirectional link failure. However, this mechanism requires an RSTP bpdu format. It is currently only implemented in MST on cisco switches (it will be soon available in rapid-pvst). No need to use loopguard with the latest MST code at least.
    Regards,
    Francois

  • Dot1q trunk causes block port go to forwarding

    Hi
    I have three 3560 switches in a fully-meshed scenario, an access switch and 2 distribution switches. when connecting these switches in the triangle topology, since STP running by default one of port go to blocking mode and then loop is prohibited. But when in access switch i set tow ports connected toward distribution switches in trunk mode with command "switch port mode trunk" the Blocked port go to forwarding and i can't understand why?because i think the loop there is yet and spanning tree must block one of ports.
    Spanning tree mode is PVST+ and there are 8 VLANs on switches.
    The question is how does this situation occur? i couldn't find reason of this situation.
    Thanks in advance

    Hi, 
           It would be good that if you can provide the configuration that you had on each switch ports.
    Cheers
    Zarni

  • Best Mini Display to DVI adapter for 2011 17" MBP w/no blocked ports!

    I am looking to get a Mini Display to DVI adapter for my 2011 17" MBP.
    +(Preferably it would even be one with a 6' cord.)+
    It is not clear which one I should buy. Apple's (adapter only, no cord), is $30, while I can see others for far less on Amazon.
    I have read that some of these adapters actually block the FW800 and USB ports on either side.
    A blocked, or displaced FW800 port is a deal breaker.
    1. Can someone with a 2011 17" MBP tell me that they have either one of these adapters, or the one with the cord, and that it doesn't block their FW800 port? (I'll pay the $30 (albeit grudgingly) if its the only one that works.)
    2. This may be a dumb question, but the specs on these adapters say that they are capable of 1080p resolution. Would that mean they would work with a 1920x1200 monitor?

    You might want to try the "MBP Display" discussion threads, might be able to find what you are looking for in there or get better support there.
    I don't think I can help very much, but I have the Apple's adapter (no cord) and it doesn't block my usage of FW.

  • How can I use Back to my Mac when my ISP blocks port 1900?

    I was just forced to switch ISPs (don't ask...) and it turns out that my new ISP (Astound) lied to me and actually does block port 1900, which means that Back to my Mac (on which I rely) does not work.
    Has anyone seen this and found a viable workaround? Preferably one that is easy for my non-technical family to use also, but all suggestions are welcome.
    Thank you!

    So, I convinced my ISP to open port 1900 and they did, but it's still not working.
    I get two messages that make no sense to me, but I hope indicated something that someone here can help me undertstand...
    When I open the iCloud preference pane in System Preferences, It says just below the Back to my Mac setting "Configure Router for better performance" - My Airport Extreme is configured with  Back to my Mac and it looks like my account shows a green indicator.
    Second, next to the Back to my Mac setting in the iCloud preference pane, there is a button labeled "Details..." When I click that it tells me that "Back to my Mac is not working properly because the DNS server isnt' responding" and suggests I contact my ISP for a different DNS server.
    All other internet services - including iCloud services - are working fine. I even tried changing my DNS servers to Google's public DNS servers and nothing changed.
    Any suggestions are very much appreciated! Thank you!

  • How to create a new rule in Windows Firewall to permit some specific IPs and block all other computers

    Hello,
    I have a Win7 PC. I want to block all incoming connections except 3 or 4 IPs. How can i do this?
    I created a new rule to block all connections using this steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > All Local/Remote IPs > Block the connectiion > All profiles > Then i gave a name
    This rule works fine and blocks all incoming connections.
    Then i want to create a new rule to allow specific IPs using this steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > Remote IPs: 192.168.10.5, 192.168.10.10 > Allow the connection > All profiles > Then i gave a name
    But 192.168.10.5 and 192.168.10.10 couldn't reach W7 machine. 
    (If rules are disabled or FW is off; both IPs could reach W7 machine)
    Thanks

    Hi,
    How did you check these two IP address? Through remote access? According to your description, it should only allow remote IP could access this computer. Please also allow local IP for test.
    Roger Lu
    TechNet Community Support

  • Possible Blocked Port Halting MSN Messenger Connection?

    Hi everyone,
    I have been running MSN Messenger for months on my Macbook Pro without any problems. The other day at work it was connected as always and I got disconnected. When I tried to reconnect, I kept getting an odd message saying that my sign in details were wrong (they're not). Other people in the same room are still able to access MSN Messenger, just not me. The problem is that even at home now on my home network, I'm not able to connect to it there either. I still get the same error message. Around the same time I did download AIM to use also, so I'm wondering if this has caused a problem or if it's something else. I've looked around online and a lot of people seem to think it's a blocked port 1863. Does anyone have any ideas how to fix this so I can get MSN up and running again? Thanks in advance.
    xx

    Hi,
    Is good to know that you were able to find the workaround. Actually I was on the lab testing this due that I noticed that you had 2671 bypassed requests. Definitely bypassing authenticated traffic is going to resolve the issue, but I also wanted to recommend you to try another solution.
    Add these commands to the CE:
    - http cache-authenticated all
    - http cache-cookies
    and remove the bypass auth-traffic command.
    This would allow the CE to cache as much as possible of the transaction. I tested and it works just fine and the CE is seeing cache hits.
    As a side note, I noticed that the messenger goes on port 80 so you don't have to worry about the port 1863.
    Thanks & Regards,
    Jose.

  • Blocking Port 192

    The company that processes credit card transactions is insisting we block port 192. How is this done? I have hear similar issues from other companies.

    I see from your other posts that you do have an Airport Extreme base station.
    As I indicated, this is not something I know much about either. I'm not even sure that the AEBS is the problem, though it seems to be according to the post I listed. I guess you could temporarily connect your Mac directly to your broadband modem, to see if the claimed vulnerability is still there.
    Assuming the AEBS is the problem, one thing you could try is to disable outside SNMP access - I found another post suggesting that [here|http://forums.macrumors.com/showthread.php?t=602839]. I have an older AEBS, which uses Airport Admin Utility for configuration. It's help section includes
    Protecting your AirPort network from denial-of-service attacks
    Networks managed by Simple Network Management Protocol (SNMP) may be vulnerable to denial-of-service attacks. (SNMP is turned on by default in AirPort Admin Utility.) Similarly, if you allow your base station to be configured remotely over the wide area network (WAN) port, unauthorized users may be able to change network settings.
    To help protect your network and base station:
    Open AirPort Admin Utility, located in Applications/Utilities.
    Select your base station and click Configure. Enter the base station password if necessary.
    Click AirPort, and click Base Station Options. Make sure the Enable SNMP Access and the Enable Remote Configuration checkboxes are not selected.
    If the Enable SNMP Access and Enable Remote Configuration checkboxes are deselected, you must configure the base station using only the local area network (LAN) or the AirPort wireless network.
    The newer Airport Utility may do this differently.
    Hopefully you can also get more help from others who are more knowledgeable about networks. As a last resort you could ask the security company to recommend a wireless router that they know will pass their test.

  • Default LaunchDaemons and open ports?

    I recently have written a port scanner for a project at my university and after running it, I discovered that a large portion of my Macbooks' well known ports was open.
    These were 21 (ftp), 22 (ssh), 23 (telnet), 53 (domain), 79 (finger)!!, 88 (kerberos), 512 (exec)!!, 513 (login), and a bunch of others (see picture below for open ports - afterwards entered @ grc.com).
    I checked, if they are reachable from the internet (see picture below). They were not, but that does not say a lot(?), because if someone wanted to make a bot out of my Mac or collect data from it, this person could contact a C&C server from my machine and start communicating without opening any port of the NAT router, as the router allows bidirectional communication if started by the client(?).
    I checked, if these ports are reachable from within a local network, by requesting the services behind them from another computer running Linux. And they are! Everyone within the Non-VPN networks of my university was and is able to fetch personal information from me over fingerd! To prevent further leakage, I will block any incoming connections from now on.
    > finger user@{Macbook's IP}
    same output as when running locally
    > finger user@localhost
    [localhost]
    Trying ::1...
    Login: MyUserName         Name: MyNameReplaced
    Directory: /Users/MyUserName            Shell: /usr/local/bin/fish
    On since Sun Oct 26 13:02 (CET) on console, idle 7:52 (messages off)
    On since Sun Oct 26 17:15 (CET) on ttys000
    On since Sun Oct 26 20:25 (CET) on ttys001, idle 0:05
    No Mail.
    No Plan.
    I am able to login to the Mac via telnet over the LAN, etc.
    I checked the configuration of my firewall. It is/was activated. Signed software is allowed to accept incoming connections. Cloaking is not activated and I am not blocking every incoming connection. There are five services in the list below, they are all from Apple. I can not remove them. The minus button is grayed out.
    When I ticked 'Block all incoming connections', the services behind the ports were no longer detectable/reachable from the LAN, but the daemons are still running on the Mac!
    So my question is, why are these daemons running?! Why on earth is the fingerd running or exec?! This seems not normal. Who has started them (software or person)? I strongly limit access to my computer. I always lock it, when leaving it unattended. I use NoScript in Firefox. Never do I open attachments from mails.
    I checked the Mac of a friend with my PortScanner (in his LAN and on his Mac) and his has none of the ports open mine has.
    I have not checked my ports/firewall for a long time, so I can't remember if those ports were closed at any time before.
    Meanwhile I will read something about launchd, to gather more information.

    I'm not an expert on this, but I'm not certain what you are concerned about. All messaging in unix systems is done through ports, and so a variety of ports need to be open for normal system operations. OS X out-of-the-box probably strikes a balance between convenience and paranoia - ports that might be more secure closed left open by default so that novice users aren't driven out of their wits - but I can't imagine that it leaves open anything that constitutes a true vulnerability. Or if it does, you should file a bug report.
    I'm told every med student suffers from hypochondria at one point or another, and I know that every comp sci student will sooner or later have a short freak-out over security. So take a deep breath...

  • Configuring socket policy for flex apps(with blocked port 843)?

    We have built several flex-based ecommerce apps for a fortune 500 customer of ours, that for various reasons, we need to use sockets to a different domain and requires a socket policy file, but were having trouble configuring our flex apps for deployment in thier enviornment where they are blocking virtually everything except port 80 . The current documentation in in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.
    Here is the scenario:
    Flex apps are served from domain www.a.com in  to users browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http(we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below(unless we setup a socket policy server on port 843 of www.b.com, in which case everything works):
    Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Since we cannot use port  843 for the socket policy file server, we setup the socket policy server on a different ip in the same domain: spf.b.com:80 (using the sample perl code Adobe provides), and per the docs(cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the flash player to check there for the socket policy file. The problem, as you can see from the error log, is that the  loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.
    No matter what we do or how we set things up, we cannot get the flash player to recognize the loadPolicyFile(), it always wants to go to the port were making the socket connection on. It is unclear how to properly configure the flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve  the socket policy file from a different port 80 in the same domain as the socket connection were trying to make, but were having no luck with that.
    ->Can anyone shed some light on how to make this work or what are we  missing/doing wrong? Also, if we can get this to work, are we  stuck with a 3 second delay because this(very large) customer is blocking port 843?
    As an aside,  the documentation for all this is a bit scattered, unclear and contrdictory:
    One document says:(http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html)
    "This warning usually means one of two things: first, that you need to set up a
                socket policy file server on port 843, which is the first location that Flash
                Player checks by default; or second, that you need to provide more explicit
                guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location
                of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check
                locations by default, Flash Player will wait as long as necessary for a
                response from a socket policy file server, rather than timing out after 3
                seconds."
    Another document says(http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):
    "If an ActionScript Security.loadPolicyFile() command exists within               the SWF file, then the Flash Player runtime checks that location. Flash Player checks               the destination of the loadPolicyFile() only after it has checked the               master policy file on port 843 for permission to acknowledge other policy               files. If the developer has not specified a loadPolicyFile() command,               then Flash Player checks the destination port of the connection."

    I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem isto write a null byte right after the policy server sends the policy. I'm using Apache Mina that is wrtten is Java and the null byte is written as follows:
    public void sessionCreated (IoSession session)
            throws Exception
            session.write(_policy);  -- > policy string
            session.write("\u0000"); --> null byte
             //session.close(true); ---> No need to close the session because it is closed by the Flex client after it receives the null byte.
    Now my Flex application can read and accept the policy from port 843 and I'm not getting more security violations.
    Thanks for your reply,
    Alberto

Maybe you are looking for

  • Help required in boolean pallette

    I will acquire one pulsed signal through DAQ card in labview. Now what exactly I want is that whenever the pulse is High(+5v) it should give me True(Boolean Value) and when pulse is low(0v) it should give me False(Boolean Value).  How this could be d

  • KeyListener kinda deaf (in simple game)

    Hey everyone... I'm trying to write a simple word-guessing game (Lingo, user should guess 5 letter words etc). I've created some custom AWT Components (sorry for the dutch naming): Lettervak: extends Canvas Woordveld: extends Container and contains L

  • CS3 Crashes on "Save As" in Windows XP

    Anyone come accross this and have a solution. I can't use the "Save As" command as CS3 crashes as soon as I try to alter the save destination. Thanks

  • DPM 2012 with Remote SQL

    hi all, I am trying to install DPM 2012 beta on a hyper-v VM that has 4 GB of RAM and 4 Procs. I am trying not to install SQL on the same VM, and instead use a SQL that we have on the network. it's running windows server 2008 R2 and server server 200

  • Error : ORA-32001 & ORA-02095 occurs when trying to alter audit_trial

    Hi All, I am trying to alter the audit_trial parameter to 'db,extended' as need to log SQLTEXT and SQLBIND into the SYS.AUD$. But when I tried to alter the system parameter it gives me the below error. Connected to Oracle Database 11g Release 11.2.0.